Eric Monjoin
Staff Consulting Architect but also pilot, spending time in front of my computer or flying in the air...

Lets talk about End User Computing Because we worth it ...

App Volumes, load balancer health check

I recently had an issue with one of my App Volumes server: even if my server was down in an App Volumes point of view (connection lost the database), my Kemp load balancer see it up and running because: the web interface was up and favicon.ico was also available.

The template for App Volumes (part of Horizon 7 Template) is, in my opinion not complete and it missed the right way to configure health check

So the right way to configure load balancer ‘s health check is the following :

For Kemp :

Moving Workspace One Access database to a new MS SQL Server

I had to validate how to migrate WS1 Access database to another SQL Server.

This test concerns a dual-site configuration with 3 active nodes (R/W) on Site-A et 3 passive nodes on site B (R/O).

The first thing I did, was to set all nodes to passive (so read-only for all) so no more update will be done on the database.

After that I made a SQL backup of my database and copied it the new MS SQL Server.

VMware Horizon on Windows Server Core 2019

I recently have a customer requesting to install VMware Horizon on a Windows 2019 Core server. Most of customers prefer to have the “Desktop Experience” but for security reason some other prefer to limit to shell only interface.

Before installing VMware Horizon, ensure that all updates are applied to Windows 2019 Core (I had some strange behavior before doing that, like impossible to have the Flex Admin console or get “Login failed” on the new HTML 5 consoles)

The first main concern is getting signed certificate ready so Horizon will use it instead of its self signed certificate.

After copying the certificate in a local folder :

1 ) From the Administrator command prompt, type “powershell” to execute PowerShell command

PFX to PEM

When working on EUC and SDDC solutions (and yes now for everything) we have to use certificates.

I mostly used Microsoft Certificate Services for all my internal servers and a Public wildcard certificate for external access. So to create certificate, the best is to used the Windows MMC and the export the certificate as .PFX to get both the certificate and the private key used to generate it.

However some product like Workspace One Access ask for certificate as PEM format so I used the following script to convert PFX to PEM with OpenSSL.

It’s a batch script who need two arguments, the first one is the name of the certificate without the extension and the second argument is the password used to encrypt Private key

Eg. my PFX certificate is myserver.mydomain.local.pfx so I juste have to type : pfx2pem.bat myserver.mydomain.local mypassword

Composer Firewall Port

Ok by default Composer must be in the same domain or at list have Trust Relationship with domains where Linked Clone will be deployed….

But with Composer you can also deploy on other domains, the caveat however is that you can’t browse the OU on Horizon Admin console so you need to Copy/Past or write the full path for the correct OU.

That said, if you look at the firewall port required by Composer, unless 18433 between Horizon Connection Server (brokers) and Composer plus 1433 to join the Ms SQL Server, nothing is really explained and a doubt can exist about which port is required (and also who create account in the domain). So here the answer 🙂 :

First I confirm, Composer server is responsible to reach the AD domains and create Computer accounts. So the required port are :

Source                  Destination        Ports                 Service

Composer           AD Controllers   88/TCP                  Kerberos

Composer           AD Controllers   135/TCP               RPC

Composer           AD Controllers   389/TCP               LDAP

Unified Access Gateway and .local domain

Since recent release of Unified Access Gateway (I guess starting with 3.7 as I didn’t remember having any issue with version 3.6), the appliance is not using the configured DNS and when looking at /etc/resolv.conf it’s using a internal IP of 127.0.0.53 to perform queries.

After digging into internet I found some post about this and to make it short the solution is to edit /etc/systemd/resolved.conf and comment out “Domains=” and specify your local domain :

Internal View Composer error – another reason..

Ok, I know that View Composer is depreciated but sometime we don’t have other choice to use it, eg. when you need to deploy VMs is a more cost effective way than Full Clone on domain with no Trust Relationship with the one on which the brokers is joined to.

So I have a customer who have 3 domains with trust relationship:

  • dom-adm for all admin account
  • dom-res for all computers account (composer and brokers are on this domain)
  • dom-usr for all users accounts

We created a service account in dom-adm for Composer and added it to “Administrator” local group in Composer server.

When I tried to add Composer server on Horizon admin console, it failed with the “Internal View Composer error. Contact your administrator.” message and absolutely nothing into the log, both on Composer and Horizon logs (sic.)

I first suspected an issue with the certificate but even after putting a signed certificate the issue was the same.

Finally I created a service account for Composer in the dom-res domain and used it to add Composer on my vCenter… and it worked !!